
Linux

Kernel: Zinc and 4.20 Merge Window

  • Zinc: a new kernel cryptography API

    We looked at the WireGuard virtual private network (VPN) back in August and noted that it is built on top of a new cryptographic API being developed for the kernel, which is called Zinc. There has been some controversy about Zinc and why a brand new API was needed when the kernel already has an extensive crypto API. A recent talk by lead WireGuard developer Jason Donenfeld at Kernel Recipes 2018 would appear to be a serious attempt to reach out, engage with that question, and explain the what, how, and why of Zinc.

    WireGuard itself is small and, according to Linus Torvalds, a work of art. Two of its stated objectives are maximal simplicity and high auditability. Donenfeld initially did try to implement WireGuard using the existing kernel cryptography API, but after trying to do so, he found it impossible to do in any sane way. That led him to question whether it was even possible to meet those objectives using the existing API.

    By way of a case study, he considered big_key.c. This is kernel code that is designed to take a key, store it encrypted on disk, and then return the key to someone asking for it if they are allowed to have access to it. Donenfeld had taken a look at it, and found that the crypto was totally broken. For a start, it used ciphers in Electronic Codebook (ECB) mode, which is known to leave gross structure in ciphertext — the encrypted image of Tux on the left may still contain data perceptible to your eye — and so is not recommended for any serious cryptographic use. Furthermore, according to Donenfeld, it was missing authentication tags (allowing ciphertext to be undetectably modified), it didn't zero keys out of memory after use, and it didn't use its sources of randomness correctly; there were many CVEs associated with it. So he set out to rewrite it using the crypto API, hoping to better learn the API with a view to using it for WireGuard.

    The first step with the existing API is to allocate an instance of a cipher "object". The syntax for so doing is arguably confusing — for example, you pass the argument CRYPTO_ALG_ASYNC to indicate that you don't want the instance to be asynchronous. When you've got it set up and want to encrypt something, you can't simply pass data by address. You must use scatter/gather to pass it, which in turn means that data in the vmalloc() area or on the stack can't just be encrypted with this API. The key you're using ends up attached not to the object you just allocated, but to the global instance of the algorithm in question, so if you want to set the key you must take a mutex lock before doing so, in order to be sure that someone else isn't changing the key underneath you at the same time. This complexity has an associated resource cost: the memory requirements for a single key can approach a megabyte, and some platforms just can't spare that much. Normally one would use kvmalloc() to get around this, but the crypto API doesn't permit it. Although this was eventually addressed, the fix was not trivial.

  • 4.20 Merge window part 2

    At the end of the 4.20 merge window, 12,125 non-merge changesets had been pulled into the mainline kernel repository; 6,390 came in since last week's summary was written. As is often the case, the latter part of the merge window contained a larger portion of cleanups and fixes, but there were a number of new features in the mix as well.

Zentyal 6.0 Released


Qualcomm and Intel: a Linux Perspective

  • SBC showcases Qualcomm’s 10nm, octa-core QCS605 IoT SoC

    Intrinsyc’s compact “Open-Q 605” SBC for computer vision and edge AI applications runs Android 8.1 and Qualcomm’s Vision Intelligence Platform on Qualcomm’s IoT-focused, octa-core QCS605.

    In April, Qualcomm announced its QCS605 SoC, calling it “the first 10nm FinFET fabricated SoC purpose built for the Internet of Things.” The octa-core Arm SoC is available in an Intrinsyc Open-Q 605 SBC, whose full development kit with a 12V power supply is open for pre-orders at $429. The products will ship in early December.

  • Second-gen Intel Neural Compute Stick shows off new Myriad X VPU

    Intel has launched a $99 “Neural Compute Stick 2” AI accelerator built around a new Myriad X VPU that adds a Neural Compute Engine and more cores for up to 8x greater performance.

    Intel may be scaling back a bit on its IoT business, but it continues to push hard with the Myriad neural network acceleration technology it acquired when it bought Movidius. Intel has just released its third-gen “Myriad X” technology for AI acceleration on edge devices, debuting on a $99 Intel Neural Compute Stick 2 (NCS2).

LF Deep Learning Delivers First Acumos AI Release Making it Easier to Deploy and Share Artificial Intelligence Models

  • LF Deep Learning Delivers First Acumos AI Release Making it Easier to Deploy and Share Artificial Intelligence Models

    The LF Deep Learning Foundation, a project of The Linux Foundation that supports open source innovation in artificial intelligence (AI), machine learning (ML), and deep learning (DL), today announced the availability of its first software release of the Acumos AI Project – Athena.

    Acumos AI is a platform and open source framework that makes it easy to build, share and deploy AI applications. Acumos AI standardizes the infrastructure stack and components required to run an out-of-the-box general AI environment. This frees data scientists and model trainers to focus on their core competencies and accelerate innovation.

  • Linux Foundation's Acumos Wants To Make It Easier Deploying AI Apps

    The latest software initiative out of the Linux Foundation -- and in particular their Deep Learning Foundation -- is the Acumos AI "Athena" release that tries to make it easier to deal with artificial intelligence apps.

    Acumos Athena is an effort to make it easier to deploy AI applications across private/public clouds and other environments. Acumos is a framework for building, sharing, and deploying AI applications and provides a standardized stack for these components.

AMD Hiring Another Mesa/RadeonSI Driver Developer, Changes for Linux 4.21

  • AMD Is Hiring Another Mesa/RadeonSI Driver Developer

    AMD is hiring another open-source Linux graphics driver developer with a focus on the Mesa/RadeonSI driver stack.

    There is a new job posting for a Senior Software Development Engineer with a focus on open-source graphics. This job role involves working on their open-source graphics driver, working on driver bring-up, debugging issues, improving driver performance, coordinating with Linux distributions, and engaging with the open-source graphics development community. I've been able to confirm with AMD that this is focused on their Mesa/RadeonSI driver as opposed to, say, just their AMDGPU kernel driver.

  • AMD Stages Latest Radeon/AMDGPU Changes For Linux 4.21 Kernel

    AMD has posted their initial set of AMDGPU driver changes slated to go into the future Linux 4.21 kernel by way of DRM-Next.

    This is the first of likely two or three feature pull requests to DRM-Next for staging until the Linux 4.21 kernel cycle kicks off in the final days of 2018 or early 2019.

Results: Linux Foundation Technical Board Election 2018


The results of the 2018 election for members of the Linux Foundation's Technical Advisory Board have been posted; the members elected this time around are Chris Mason, Laura Abbott, Olof Johansson, Dan Williams, and Kees Cook. Abbott and Cook are new members to the board this time around. (The other TAB members are Ted Ts'o, Greg Kroah-Hartman, Jonathan Corbet, Tim Bird, and Steve Rostedt).


10 Linux Commands For Network Diagnostics


It is difficult to find a Linux computer that is not connected to the network, be it server or workstation. From time to time it becomes necessary to diagnose faults, intermittence or slowness in the network. In this article, we will review some of the Linux commands most used for network diagnostics.


Variscite unveils its first i.MX8X module


Variscite’s “VAR-SOM-MX8X” COM runs Linux or Android on NXP’s up to quad-core Cortex-A35 i.MX8X SoC with up to 4GB LPDDR4 and 64GB eMMC, plus WiFi/BT, dual GbE controllers, and -40 to 85°C support.

Variscite has launched its first i.MX8X-based computer-on-module. The 67.6 x 51.6mm VAR-SOM-MX8X runs Yocto Project based Linux or Android on NXP’s dual- or quad-core Cortex-A35 based, 1.2GHz i.MX8X. The up to -40 to 85°C tolerant module is aimed at industrial automation and control, defense, medical, telematics, building control, failover displays/HMI, and robotics applications. The only other i.MX8X module we’ve seen is Phytec’s Linux-compatible, 55 x 40mm phyCORE-i.MX 8X module.


Top 20 Best Tizen Apps for October 2018


This is the monthly rundown of the most downloaded apps from the Tizen Store for your Tizen mobile. This time it's October 2018. WhatsApp still has the #1 spot and it doesn’t look like it will be leaving that anytime soon. There are a few new entry games like Counter Terror: Pursuit, Sweet candy fever, Monster simulator trigger city, and also utilities like Transparent screen.


Stable kernels 4.19.2, 4.18.19, 4.14.81, and 4.9.137


More in Tux Machines

Deepin 15.8 - Attractive and Efficient, Excellent User Experience

Deepin is an open source GNU/Linux operating system, based on Linux kernel and desktop applications, supporting laptops, desktops and all-in-ones. deepin preinstalls Deepin Desktop Environment (DDE) and nearly 30 deepin native applications, as well as several applications from the open source community to meet users’ daily learning and work needs. In addition, about a thousand applications are offered in Deepin Store to meet more of your needs. deepin, developed by a professional operating system R&D team and deepin technical community (www.deepin.org), takes its name from the deepin technical community - “deepin”, which means deep pursuit and exploration of the life and the future. Compared with deepin 15.7, the ISO size of deepin 15.8 has been reduced by 200MB. The new release features a newly designed control center, dock tray and boot theme, as well as improved deepin native applications, hoping to bring users a more beautiful and efficient experience.


Limiting the power of package installation in Debian

There is always at least a small risk when installing a package for a distribution. By its very nature, package installation is an invasive process; some packages require the ability to make radical changes to the system—changes that users surely would not want other packages to take advantage of. Packages that are made available by distributions are vetted for problems of this sort, though, of course, mistakes can be made. Third-party packages are an even bigger potential problem because they lack this vetting, as was discussed in early October on the debian-devel mailing list. Solutions in this area are not particularly easy, however. Lars Wirzenius brought up the problem: "when a .deb package is installed, upgraded, or removed, the maintainer scripts are run as root and can thus do anything." Maintainer scripts are included in a .deb file to be run before and after installation or removal. As he noted, maintainer scripts for third-party packages (e.g. Skype, Chrome) sometimes add entries to the lists of package sources and signing keys; they do so in order to get security updates to their packages safely, but it may still be surprising or unwanted. Even simple mistakes made in Debian-released packages might contain unwelcome surprises of various sorts. He suggested that there could be a set of "profiles" that describe the kinds of changes that might be made by a package installation. He gave a few different examples, such as a "default" profile that only allowed file installation in /usr, a "kernel" profile that can install in /boot and trigger rebuilds of the initramfs, or "core" that can do anything. Packages would then declare which profile they required. The dpkg command could arrange that package's install scripts could only make the kinds of changes allowed by its profile.

SpamAssassin is back

The SpamAssassin 3.4.2 release was the first from that project in well over three years. At the 2018 Open Source Summit Europe, Giovanni Bechis talked about that release and those that will be coming in the near future. It would seem that, after an extended period of quiet, the SpamAssassin project is back and has rededicated itself to the task of keeping junk out of our inboxes. Bechis started by noting that spam filtering is hard because everybody's spam is different. It varies depending on which languages you speak, what your personal interests are, which social networks you use, and so on. People vary, so results vary; he knows a lot of Gmail users who say that its spam filtering works well, but his Gmail account is full of spam. Since Google knows little about him, it is unable to train itself to properly filter his mail. Just like Gmail, SpamAssassin isn't the perfect filter for everybody right out of the box; it's really a framework that can be used to create that filter. Getting the best out of it can involve spending some time to write rules, for example.